More on outbound firewall rules

In a previous article, I mentioned two firewall rules that every network should have: blocking outbound DNS (udp/53 and tcp/53), and blocking outbound SMTP (tcp/25). I'd like to suggest a few more rules to add to that list.
The first rule to add is blocking of outbound Windows NetBIOS/SMB/RPC requests. Windows networking requests should never, never, NEVER leave an internal network. Period. If you have a situation where you need to communicate with an external IP using Windows networking, I have two suggestions for you:

find another way to accomplish your goal, because the way you are doing it isn't correct; or

setup a VPN connection to the external IP and force the requests to cross the VPN tunnel.

By blocking NetBIOS/SMB/RPC, you will prevent your internal systems from connecting to potentially malicious external hosts. Malware often attempts to initiate NetBIOS/SMB connections. Malware is bad. Go block the following services outbound:

tcp/135

tcp/139

tcp/445

udp/137

udp/138

My next rule suggestion is kind of cheating, because I'm going to suggest a rule to supersede the previous three: block all outbound TCP and UDP traffic between ports 0 and 1024 (and consider blocking all ports up to 65535). This moves toward implementing the theory of "default deny". Just as the default is deny for inbound traffic with specific exceptions, the default should be deny for outbound traffic with only specific exceptions. Then you can permit the services that should be allowed outbound, and while doing that you can write business justifications for allowing the traffic. Here are some suggested exceptions for an outbound default deny: